General

Target: file.bin
Size: 3.9MB
Sample: 200914-ytwdm591kj
MD5: 370f78f7032ad6a8a34ac1e662f7532c
SHA1: 5bc4edf95bcbb5385ba7aeef170095de9e855d2e
SHA256: d489e786f3f7451df3db5bd5dd3de6519a48a1271986d894b29412809e952cf4
SHA512: c60ae2bd556e9e46c5138fc6ec932d44dac4bf2a1de13143b36873d86a502dfca0a225b493c206359950a2c69880f0e5d5a4aada5cdc3ccab723d390a6162843
Static task: static1
Behavioral task: behavioral1
Sample: file.bin.exe
Resource: win7v200722

Malware Config

Extracted family: danabot
C2 addresses:
89.44.9.132
64.188.23.70
179.43.133.35
45.147.231.218
89.45.4.126
Targets

Target: file.bin (3.9MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

Danabot x86 payload
Detection of the DanaBot x86 payload, mapped in memory during execution of its loader.

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Reads ACPI table entries in the registry, which on VirtualBox guests typically carry VirtualBox-specific identifiers.

Blocklisted process makes network request

Downloads MZ/PE file
Retrieves an executable (MZ/PE header) over the network.

Executes dropped EXE

Checks BIOS information in registry
BIOS vendor and version values are often read to detect virtualised or sandboxed environments.

Drops startup file
Writes a file to a Startup location so it runs at logon (persistence).

Identifies Wine through registry keys
Wine is a compatibility layer that runs Windows applications on other operating systems and is used by some sandboxes; Wine-specific registry keys reveal its presence.

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class, which stops debug events for that thread from being delivered to an attached debugger (anti-debugging).

Note that several of these signatures are environment checks (VirtualBox, BIOS, Wine, hidden-from-debugger thread). When they fire, the sample may have withheld part of its behaviour in this run, so the behavioural list above should be read as a lower bound on what the sample does on a real host.
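The signatures above are derived from raw sandbox events (registry queries, API calls, network connections), and the extracted config gives the C2 addresses to sweep for. The following is an added example, not the sandbox's own signature code: a small matcher that re-derives the signature names used on this page from constructed event lines of the form "kind<TAB>detail". The registry paths, API names and IP-lookup hosts in the rules are the ones such checks commonly touch and are assumptions here; the exact paths this sample read are not on the page. The C2 addresses are the five from the extracted config.

```python
"""Re-derive this report's behavioural signatures from raw sandbox events.

Added example (not Triage code). Event lines are constructed for the demo;
the rule patterns are assumed typical locations for each check.
"""
import ipaddress
import re

# C2 addresses from the extracted DanaBot config on this page.
DANABOT_C2 = frozenset({
    "89.44.9.132", "64.188.23.70", "179.43.133.35",
    "45.147.231.218", "89.45.4.126",
})

# (signature name, event kind, case-insensitive regex over the detail field)
# Paths/hosts below are assumptions about where such checks usually look.
RULES = [
    ("Identifies VirtualBox via ACPI registry values", "regquery",
     r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks BIOS information in registry", "regquery",
     r"HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|BIOS\\)"),
    ("Identifies Wine through registry keys", "regquery",
     r"Software\\Wine"),
    ("Checks installed software on the system", "regquery",
     r"Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "apicall",
     r"NtSetInformationThread\(.*ThreadHideFromDebugger"),
    ("Looks up external IP address via web service", "http",
     r"^(https?://)?(api\.ipify\.org|checkip\.amazonaws\.com|ipinfo\.io)\b"),
    ("Drops startup file", "filewrite",
     r"\\Start Menu\\Programs\\Startup\\"),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", "fileread",
     r"\\(Electrum|Exodus|Bitcoin)\\|wallet\.dat$"),
]

# Constructed sample events (not from the real run) in "kind<TAB>detail" form.
SAMPLE_EVENTS = [
    "regquery\tHKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    "regquery\tHKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    "regquery\tHKCU\\Software\\Wine",
    "regquery\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{DEADBEEF}",
    "apicall\tNtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, 0)",
    "http\thttps://api.ipify.org/",
    "connect\t89.44.9.132:443",
    "connect\t10.0.2.2:53",
    "filewrite\tC:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk",
    "fileread\tC:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet",
]


def parse_event(line):
    """Split 'kind<TAB>detail'; return (kind, detail) or None for malformed lines."""
    kind, sep, detail = line.partition("\t")
    if not sep or not detail.strip():
        return None
    return kind.strip().lower(), detail.strip()


def match_events(lines):
    """Return {signature name: [event details that triggered it]} in first-hit order."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, detail = ev
        for name, rule_kind, pattern in RULES:
            if kind == rule_kind and re.search(pattern, detail, re.IGNORECASE):
                hits.setdefault(name, []).append(detail)
        if kind == "connect":
            # Outbound connection: compare the parsed address with the extracted C2 list.
            host, _, _port = detail.rpartition(":")
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                continue  # not a bare IPv4/IPv6 literal; ignore
            if str(ip) in DANABOT_C2:
                hits.setdefault("Contacts extracted DanaBot C2 address", []).append(detail)
    return hits


if __name__ == "__main__":
    for name, details in match_events(SAMPLE_EVENTS).items():
        print(f"{name}\n    " + "\n    ".join(details))
```

Feeding real sandbox or EDR telemetry through match_events only requires normalising it to the "kind<TAB>detail" shape; the C2 check is the part worth running over proxy and firewall logs beyond the sandbox itself.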